
Category: Networking and Security

2011-11-27 17:26:18

One common application of client-side PKI certificates is 802.1x network authentication using EAP/TLS to present the client's identity to the server. Unlike many other EAP types, EAP/TLS does not transmit a password from the supplicant to the server, which is better for network security.

This page explains how to build the FreeRadius server (v1.0.4 was current at the time) and configure it to be used for 802.1x network authentication and EAP/TLS.


Dependencies

This procedure should work for servers running most Linux distributions. The machine we used for testing had RedHat version 9 installed. 802.1x authentication worked using clients on Windows XP, Mac OS X and Linux.

Cisco and Aruba wireless access points were used in the network.

Note that FreeRadius requires OpenSSL 0.9.7 or later. If the base system needs to be upgraded, it's easiest to do that first. The FreeRadius documentation suggests that it is possible to build a separate copy of OpenSSL for FreeRadius when a system upgrade isn't possible. We did not use that technique.

The rlm_eap_tls module was improved after version 0.9.2, which had not worked with the supplicant in Windows XP. FreeRadius versions from 1.0.2 onward did work successfully.


Build FreeRadius


Expand the tar file in /usr/local/src/freeradius (you'll need root privileges to work there).

Build freeradius as follows:

  cd /usr/local/src/freeradius/
  ./configure --with-rlm-eap-tls-include-dir=/usr/kerberos/include/
  make
  make install

[Note: the configure switch is needed because of the unusual location of the Kerberos include files on Red Hat Linux. Kerberos is referenced by OpenSSL, which is referenced by rlm_eap_tls. If configure cannot find the Kerberos headers (which openssl/ssl.h pulls in), it skips building rlm_eap_tls. This switch should not be necessary if Kerberos is in the usual location.]

The binaries and libraries are installed in /usr/local by default.

To build FreeRadius into another directory, e.g. "/usrrad/local/", set the prefix option when running "configure":

  ./configure --prefix=/usrrad/local --with-rlm-eap-tls-include-dir=/usr/kerberos/include
  make
  make install


Configure FreeRadius

The configuration files are by default at: /usr/local/etc/raddb/
The main config file is radiusd.conf. No modifications to it are needed.

To configure the RADIUS server to use EAP-TLS authentication, modify "eap.conf" as follows:

  • set default_eap_type to tls.
  • uncomment the tls section.
  • point private_key_file and certificate_file at the server certificate (PEM format).
  • enter the private_key_password that protects the server certificate's private key.
  • set CA_file to the certificate of your local root CA.
Sample diff output:

  < default_eap_type = md5
  ---
  > default_eap_type = tls

  < #tls {
  < # private_key_password = password
  < # private_key_file = /path/filename
  ---
  > tls {
  > private_key_password = my-password
  > private_key_file = /usr/local/radius/certs/my-radius-cert.pem

  < # certificate_file = /path/filename
  ---
  > certificate_file = /usr/local/radius/certs/my-radius-cert.pem

  < # CA_file = /path/filename
  ---
  > CA_file = /usr/local/radius/certs/DartCA1.crt

  < # dh_file = /path/filename
  < # random_file = /path/filename
  ---
  > dh_file = /dev/null
  > random_file = /dev/urandom

  < # fragment_size = 1024
  < # include_length = yes
  < #}
  ---
  > fragment_size = 1024
  > include_length = yes
  > }

The "clients.conf" file tells the RADIUS server which NAS devices (here, the access points) are allowed to contact it. There are default entries, commented out, to use as a guide. For example, you could set it to expect connections from any NAS in the local IP range x.y.0.0/16. You need to provide a secret that the RADIUS server and the NAS share, and configure the access point with the same secret.

  #
  # You can now specify one secret for a network of clients.
  # When a client request comes in, the BEST match is chosen.
  # i.e. The entry from the smallest possible network.
  #

  client x.y.0.0/16 {
      secret = your-secret-here
      shortname = Your-University
  }
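The two edits above (the tls section of eap.conf and the client block of clients.conf) are easy to get half right: a setting left commented out, the template password "password" still in place, or the placeholder shared secret still in clients.conf. The following lint is an added example, not code from the Dartmouth page or from FreeRADIUS; it only knows the settings shown on this page, the "testing123" value it rejects is the stock FreeRADIUS localhost secret, and the 16-character minimum for the shared secret is this example's own choice. The sample files it writes are constructed from the page's before/after excerpts (the 10.20.0.0/16 client and its secret are made up).

```shell
#!/bin/sh
# Lint for the eap.conf and clients.conf edits described above (added example,
# not from the Dartmouth page or FreeRADIUS). Knows only the keys on this page;
# the 16-character shared-secret minimum is this example's own choice.

# _settings FILE: print live settings with comments stripped, leading space
# removed and "=" normalised, so commented-out template lines are ignored.
_settings() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*=[[:space:]]*/ = /' "$1"
}

# _get FILE KEY: value of the first live "KEY = value" line (empty if none).
_get() {
    _settings "$1" | awk -v k="$2" '$1 == k && $2 == "=" { print $3; exit }'
}

# check_eap_conf FILE: 0 when the tls settings are complete, 1 otherwise.
check_eap_conf() {
    f="$1"; rc=0
    [ "$(_get "$f" default_eap_type)" = "tls" ] ||
        { echo "$f: default_eap_type is not tls" >&2; rc=1; }
    _settings "$f" | grep -q '^tls[[:space:]]*{' ||
        { echo "$f: tls { } section missing or still commented out" >&2; rc=1; }
    for k in private_key_file certificate_file CA_file random_file; do
        case "$(_get "$f" "$k")" in
            ''|/path/filename) echo "$f: $k is not set" >&2; rc=1 ;;
        esac
    done
    [ "$(_get "$f" private_key_password)" != "password" ] ||
        { echo "$f: private_key_password is still the template value" >&2; rc=1; }
    return $rc
}

# check_clients_conf FILE: 0 when every client { } block has a real shared secret.
check_clients_conf() {
    f="$1"
    bad=$(_settings "$f" | awk -v min=16 '
        $1 == "client" { name = $2 }
        $1 == "secret" && $2 == "=" {
            if ($3 == "" || $3 == "your-secret-here" || $3 == "testing123")
                print name ": placeholder shared secret"
            else if (length($3) < min)
                print name ": shared secret shorter than " min " characters"
        }')
    [ -z "$bad" ] || { printf '%s\n' "$bad" | sed "s|^|$f: |" >&2; return 1; }
    return 0
}

# write_samples DIR: constructed "before" (template) and "after" files that
# mirror the diff and the clients.conf excerpt on this page.
write_samples() {
    d="$1"
    cat > "$d/eap.conf.before" <<'EOF'
    default_eap_type = md5
    #tls {
    #   private_key_password = password
    #   private_key_file = /path/filename
    #   certificate_file = /path/filename
    #   CA_file = /path/filename
    #   random_file = /path/filename
    #}
EOF
    cat > "$d/eap.conf.after" <<'EOF'
    default_eap_type = tls
    tls {
        private_key_password = my-password
        private_key_file = /usr/local/radius/certs/my-radius-cert.pem
        certificate_file = /usr/local/radius/certs/my-radius-cert.pem
        CA_file = /usr/local/radius/certs/DartCA1.crt
        dh_file = /dev/null
        random_file = /dev/urandom
        fragment_size = 1024
        include_length = yes
    }
EOF
    cat > "$d/clients.conf.before" <<'EOF'
client x.y.0.0/16 {
    secret = your-secret-here
    shortname = Your-University
}
EOF
    cat > "$d/clients.conf.after" <<'EOF'
client 10.20.0.0/16 {
    secret = constructed-long-secret-7f3a9c2e
    shortname = Example-University
}
EOF
}
```

Run `check_eap_conf /usr/local/etc/raddb/eap.conf` and `check_clients_conf /usr/local/etc/raddb/clients.conf` against the live files; the "before" samples fail every check and the "after" samples pass, which is the quickest way to confirm the lint itself behaves before trusting it.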

The "users" file holds the user accounts. Since with EAP-TLS we don't need to know the supplicant's name in advance, a DEFAULT entry that catches everyone is added:

  DEFAULT Auth-Type := EAP
      Tunnel-Type = 13,
      Tunnel-Medium-Type = 6,
      Tunnel-Private-Group-Id = 1
  #DEFAULT Auth-Type = System
  #    Fall-Through = 1

This example entry expects users to authenticate with EAP, and sets the RADIUS tunnel attributes that put the user onto VLAN 1. The values of Tunnel-Type (13) and Tunnel-Medium-Type (6) mean that VLANs are used, and Tunnel-Private-Group-Id carries the VLAN ID.

Create the /usr/local/radius/certs directory and copy the root CA certificate and the server certificate requested for the RADIUS server into it.
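Before starting radiusd it is worth confirming that the files placed in that directory actually fit together: the private_key_password unlocks the key, the key belongs to the server certificate, and the server certificate chains to the CA named in CA_file (otherwise supplicants validating the server against that CA reject it). The script below is an added example, not code from the Dartmouth page or from FreeRADIUS; it assumes the openssl command-line tool is installed, and the certificates it generates for exercising the check are constructed throwaways (one-day validity, password "my-password" as used on this page). For the page's layout, where the certificate and its key share one PEM file, pass that file as both the CERT and KEY argument.

```shell
#!/bin/sh
# Pre-flight check of the certificate material that eap.conf points at
# (added example; not from the Dartmouth page or FreeRADIUS). Needs the
# openssl command-line tool.
#
# usage: check_eap_tls_certs CERT_PEM KEY_PEM KEY_PASSWORD CA_CRT
#   returns 0 when consistent, 1 (with a reason on stderr) otherwise.
check_eap_tls_certs() {
    cert="$1"; key="$2"; pass="$3"; ca="$4"

    # 1. private_key_password must unlock the key; radiusd will not start otherwise.
    key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null) ||
        { echo "cannot read private key $key with the given password" >&2; return 1; }

    # 2. the certificate must be readable PEM and carry the same public key as the key
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "cannot read certificate $cert" >&2; return 1; }
    [ "$key_pub" = "$cert_pub" ] ||
        { echo "private key $key does not belong to certificate $cert" >&2; return 1; }

    # 3. the server certificate must chain to CA_file, or supplicants that
    #    validate the server against that CA will reject it
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "certificate $cert does not verify against $ca" >&2; return 1; }
    return 0
}

# make_test_certs DIR: constructed throwaway CA and server key/certificate for
# exercising the check offline (1-day validity, password "my-password").
make_test_certs() {
    d="$1"
    # self-signed root CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    # server key and CSR, signed by that CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.edu" \
        -keyout "$d/srv.key" -out "$d/srv.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/srv.crt" >/dev/null 2>&1
    # password-protect the server key, as private_key_password expects
    openssl rsa -in "$d/srv.key" -aes256 -passout "pass:my-password" \
        -out "$d/srv-enc.key" >/dev/null 2>&1
    # an unrelated key, to show a key/certificate mismatch being caught
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1
}

# run as a script: sh check-certs.sh CERT KEY PASSWORD CA
if [ "$#" -eq 4 ]; then
    check_eap_tls_certs "$@"
fi
```

Against the settings on this page the call is `check_eap_tls_certs /usr/local/radius/certs/my-radius-cert.pem /usr/local/radius/certs/my-radius-cert.pem my-password /usr/local/radius/certs/DartCA1.crt`. A wrong password, a key that belongs to a different certificate, and a certificate not issued by the CA in CA_file each fail with a distinct message, which is more informative than the generic TLS setup error radiusd gives at startup.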



Dartmouth College PKI Lab
Written by: Robert Brentrup
Last update: 23 August 2005
